Browse code
bb11281 - Reworked reverted upack.c crash patch to fix regression false negatives.
Steven Morgan authored on 2015/03/27 01:24:02Showing 1 changed files
| ... | ... |
@@ -302,6 +302,8 @@ int unupack(int upack, char *dest, uint32_t dsize, char *buff, uint32_t vma, uin |
| 302 | 302 |
loc_esi += 4; |
| 303 | 303 |
cli_dbgmsg("Upack: ecx counter: %08x\n", j);
|
| 304 | 304 |
|
| 305 |
+ if (((uint64_t)count+j) * 4 > UINT_MAX) |
|
| 306 |
+ return -1; |
|
| 305 | 307 |
if (!CLI_ISCONTAINED(dest, dsize, loc_esi, (j*4)) || !CLI_ISCONTAINED(dest, dsize, loc_edi, ((j+count)*4))) |
| 306 | 308 |
return -1; |
| 307 | 309 |
for (;j--; loc_edi+=4, loc_esi+=4) |
| ... | ... |
@@ -359,6 +361,8 @@ int unupack(int upack, char *dest, uint32_t dsize, char *buff, uint32_t vma, uin |
| 359 | 359 |
loc_edi += 4; |
| 360 | 360 |
loc_ebx = loc_edi; |
| 361 | 361 |
|
| 362 |
+ if (((uint64_t)count+6) * 4 > UINT_MAX) |
|
| 363 |
+ return -1; |
|
| 362 | 364 |
if (!CLI_ISCONTAINED(dest, dsize, loc_edi, ((6+count)*4))) |
| 363 | 365 |
return -1; |
| 364 | 366 |
cli_writeint32(loc_edi, 0xffffffff); |